Re: [DNSOP] extension of DoH to authoritative servers

Ted Lemon <> Tue, 12 February 2019 18:44 UTC

From: Ted Lemon <>
To: Paul Vixie <>
Cc: David Conrad <>, dnsop <>
Date: Tue, 12 Feb 2019 10:44:01 -0800
List-Id: IETF DNSOP WG mailing list <>

On Feb 12, 2019, at 10:34 AM, Paul Vixie <> wrote:
> netflow. such traffic _looks_ abnormal.
> the deliberate design premise of DoH is that it look normal.

It’s either one or the other. DoH is such traffic. If it looks abnormal, you can do something about it. If it doesn’t, you can’t. It’s not the case that nefarious traffic that is not DoH is special in looking different. Or rather, to the extent that you are good at identifying and blocking such traffic, that will naturally select for solutions that are less easily identified, and eventually the steady state will be exactly what you are afraid of with DoH. To the extent that DoH is less obvious than these other techniques, you could legitimately say that it is an example of this process of natural selection. It just happens to be visible to you, whereas all the other examples are not, because they are being done by black hats, not by the IETF.
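The argument in the message above (netflow can act on traffic that looks abnormal, and DoH is built to look like ordinary HTTPS) as an added worked example; this is not code from the thread, from any DoH implementation, or from any of the participants. It runs a flow-level classifier over constructed NetFlow-style records: plain DNS to an unsanctioned resolver stands out on port alone, while a DoH session is only caught when its destination address is already on an analyst-maintained list, and is otherwise identical to a web session. The resolver addresses, the DoH endpoint list, and every flow record are constructed for illustration.

```python
"""Flow-level detection of DNS bypass over constructed NetFlow-style records.

Added example for the DNSOP thread on DoH visibility; not code from the thread
or from any project. Addresses, the endpoint list and the flows are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """The handful of fields a flow exporter gives you; no payload, no SNI."""
    src: str
    dst: str
    dport: int
    proto: str    # "udp" or "tcp"
    bytes: int
    packets: int


# Constructed: the enterprise's sanctioned recursive resolver.
SANCTIONED_RESOLVERS = {"10.0.0.53"}

# Constructed: addresses an analyst has catalogued as public DoH endpoints.
# This list is the only thing that separates DoH from other HTTPS at flow level.
KNOWN_DOH_ENDPOINTS = {"203.0.113.10"}


def classify(flow: Flow) -> str:
    """Verdict for one flow.

    dns         : port 53 to a sanctioned resolver.
    dns-bypass  : port 53 to anything else; abnormal on its face, so netflow
                  catches it without any list.
    doh-known   : TCP/443 to an address already catalogued as a DoH endpoint;
                  caught only because of the catalogue, not because of the flow.
    https       : every other TCP/443 flow, which is where a DoH session to an
                  uncatalogued endpoint lands, alongside ordinary web traffic.
    other       : anything else.
    """
    if flow.dport == 53:
        return "dns" if flow.dst in SANCTIONED_RESOLVERS else "dns-bypass"
    if flow.dport == 443 and flow.proto == "tcp":
        return "doh-known" if flow.dst in KNOWN_DOH_ENDPOINTS else "https"
    return "other"


def summarize(flows: List[Flow]) -> Dict[str, int]:
    """Count verdicts, as a collector dashboard would."""
    counts: Dict[str, int] = {}
    for f in flows:
        verdict = classify(f)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def distinguishable_without_dst(a: Flow, b: Flow) -> bool:
    """True if two flows differ in any exported feature other than dst.

    Used to show that a DoH session to a catalogued endpoint and one to an
    uncatalogued endpoint share every feature a flow record carries except
    the destination address.
    """
    return (a.dport, a.proto, a.bytes, a.packets) != (b.dport, b.proto, b.bytes, b.packets)


# Constructed sample flows, in order: a sanctioned lookup, a plain-DNS bypass
# to a public resolver, a DoH session to a catalogued endpoint, a DoH session
# with the same shape to an uncatalogued endpoint, and an ordinary web session.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "10.0.0.53", 53, "udp", 120, 2),
    Flow("10.1.2.3", "198.51.100.1", 53, "udp", 4400, 60),
    Flow("10.1.2.3", "203.0.113.10", 443, "tcp", 9800, 70),
    Flow("10.1.2.3", "203.0.113.77", 443, "tcp", 9800, 70),
    Flow("10.1.2.3", "192.0.2.80", 443, "tcp", 61000, 95),
]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.dst:>14} :{f.dport} {f.proto} -> {classify(f)}")
    print(summarize(SAMPLE_FLOWS))
    print("DoH flows separable without dst:",
          distinguishable_without_dst(SAMPLE_FLOWS[2], SAMPLE_FLOWS[3]))
```

The design choice the example makes explicit is that the plain-DNS bypass verdict needs no prior knowledge, whereas the DoH verdict is entirely a function of the `KNOWN_DOH_ENDPOINTS` list; remove the uncatalogued address from that list and the flow reads as `https`, which is the steady state the message describes.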